Electronic Health Reporter

A new report by Emsisoft documents an increase in ransomware attacks in the US, with 2,207 US hospitals, schools and governments directly impacted in 2023.

According to the report, last year a total of 46 hospital systems and 141 hospitals were hit by ransomware attacks and at least 32 of the 46 systems had protected health information stolen.

Citing data from a University of Minnesota School of Public Health study, between 2016 to 2021, errors and delays from attacks on the US healthcare systems killed an estimated 42 to 67 Medicare patients, or about one per month.

“The longer the ransomware problem remains unfixed, the more people will be killed by it. The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments. Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop,” the report says.

Experts with Cigent, EchoMark and Horizon3.ai offer perspective:

Mark Campbell, senior director, Cigent:

The only real way to end ransomware is to make it no longer profitable for the bad actors. While the government “banning” payments or better regulating the cryptocurrency the ransomware groups use is great in theory, it is not very practical for ransomware victims, especially if it could literally impact lives. Governments would better help organizations to protect themselves by providing guidance and assistance to drive wider adoption of innovative and preventative cybersecurity measures.

Troy Batterberry, CEO and Founder, EchoMark:

The alarming rise in ransomware attacks targeting critical institutions, highlighted in the recent report by Emsisoft, reveals staggering statistics about the persistent threat to our healthcare systems. Addressing this escalating issue has proven difficult for companies across industries due to improper or insufficient security measures to combat today’s threat actors.

Cyber criminals will not stop as long as there are accessible targets. Even after paying a ransom, there’s no guarantee they won’t strike again. Implementing clear and robust security measures such as access management, secure information sharing, and regular training across an organization is a necessary step to mitigate repeated widespread attacks.”

Stephen Gates, Principal Security SME, Horizon3.ai:

In the context of governments potentially banning ransomware payments, it feels like this suggestion will do little more than put a band aid on a gaping wound. Instead, the best way for to defeat human-operated ransom-based attacks is for governments to mandate self-assessments whereby organizations go on the offensive and continuously attack themselves so they can discover their truly exploitable weaknesses that are fueling and funding today’s extortionists.

The self-assessments mentioned here are not your everyday vulnerability scans, attack simulations, or compliance checkbox ticks. Instead, they are real-world, offensive-based cyberattacks using the same tactics, techniques, and procedures (TTPs) attackers are using. Autonomous self-assessment technologies are already available that have been designed from the ground up to safely mimic what attackers are now successfully doing.

Organizations must uncover the blind spots in their security postures that go beyond known and patchable vulnerabilities, such as easily compromised and/or reused credentials, completely exposed data, software and hardware misconfigurations, poorly implemented security controls, and weak or unenforceable security policies. These are the root causes that must be found and fixed before attackers use these weaknesses to fund their next campaign.